Tag Archive for: critical

Critical, Unpatched Cisco Zero-Day Bug Is Under Active Exploit

/in


Cisco is asking customers to immediately disable the HTTPS Server feature on all of their Internet-facing IOS XE devices to protect against a critical zero-day vulnerability in the Web User Interface of the operating system that an attacker is actively exploiting. 

Cisco IOS XE is the operating system that Cisco uses for its next-generation enterprise networking gear.

The flaw, assigned as CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled. No patch or other workaround is currently available for the flaw, which Cisco described as a privilege escalation issue that enables complete device takeover. Cisco has assigned the vulnerability a maximum possible severity rating of 10 out of 10 on the CVSS scale.

CVE-2023-20198: Maximum-Severity Flaw

“The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access,” Cisco said in an advisory on Oct. 16 on the new zero-day bug. “The attacker can then use that account to gain control of the affected system.” Privilege level 15 on a Cisco IOS system basically means having complete access to all commands including those for reloading the system and making configuration changes.

An unknown attacker has been exploiting the flaw, to access Cisco, Internet-facing IOS XE devices and drop a Lua-language implant that facilitates arbitrary command execution on affected systems. To drop the implant the threat actor has been leveraging another flaw — CVE-2021-1435 — a medium severity command injection vulnerability in the Web UI component of IOS XE, that Cisco patched in 2021. The threat actor has been able to deliver the implant successfully even on devices that are fully patched against CVE-2021-1435 via an as yet undetermined mechanism, Cisco Talos researchers said in an a separate advisory.

Cisco said it first got wind of the new vulnerability when responding to an incident involving unusual behavior on a customer device on Sept. 28. The company’s subsequent investigation showed that malicious activity related to the vulnerability actually may have begun as early as Sept. 18. That first incident ended with the attacker leveraging the flaw to create…

Source…

FBI, CISA warn critical infrastructure organizations about AvosLocker ransomware

/in


The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to share known indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and detection methods associated with the AvosLocker ransomware variant identified through FBI investigations as recently as May 2023.

U.S. critical infrastructure organizations across several industries — including government, financial services, and critical manufacturing — have been targeted by the AvosLocker ransomware-as-as-service (RasS) operation.

Last week’s advisory updated the March 17, 2022, joint CSA released by FBI, CISA, and the Department of the Treasury’s Financial Crimes Enforcement Network. The update included IOCs and TTPs not included in the previous advisory, as well as a YARA rule developed after analyzing a tool associated with an AvosLocker compromise.

AvosLocker’s track record of successful cyberattacks against U.S. critical infrastructure have elevated this threat to justify a government advisory from CISA and the FBI providing known IOCs, TTPs, as well as detection methods, said Darren Guccione, co-founder and CEO at Keeper Security. Guccione said the federal agencies offer concrete actions that can help to mitigate risk and impact of AvosLocker and other cyberthreats.

“CISA and FBI recommend adopting application controls, limiting the use of remote desktop services, restricting PowerShell use, requiring phishing-resistant multi-factor authentication, segmenting networks, keeping systems up-to-date, and maintaining offline backups,” said Guccione. “As ransomware operators like AvosLocker evolve their tactics, protecting your organization requires a layered approach.”

Craig Jones, vice president of security operations at Ontinue, added that the nature of threats targeting critical infrastructure such as AvosLocker will likely continue to evolve in line with technological advancements. Jones said it’s noteworthy because as infrastructure becomes progressively connected and dependent on digital systems, the possible attack surface for cybercriminals increases.

“We can expect to see more sophisticated attacks that exploit specific…

Source…

Beware AvosLocker Ransomware Attacks on Critical Infrastructure

/in


US authorities issued a warning this week about potential cyberattacks against critical infrastructure from ransomware-as-a-service (RaaS) operation AvosLocker.

In a joint security advisory, the Cybersecurity Infrastructure and Security Agency (CISA) and FBI warned that AvosLocker has targeted multiple critical industries across the US as recently as May, using a wide variety of tactics, techniques, and procedures (TTPs), including double extortion and the use of trusted native and open source software.

The AvosLocker advisory was issued against a backdrop of increasing ransomware attacks across multiple sectors. In a report published Oct. 13, cyber-insurance company Corvus found a nearly 80% increase in ransomware attacks over last year, as well as a more than 5% increase in activity month-over-month in September.

What You Need to Know About AvosLocker Ransomware Group

AvosLocker does not discriminate between operating systems. It has thus far compromised Windows, Linux, and VMWare ESXi environments in targeted organizations.

It’s perhaps most notable for how many legitimate and open source tools it uses to compromise victims. These include RMMs like AnyDesk for remote access, Chisel for network tunneling, Cobalt Strike for command-and-control (C2), Mimikatz for stealing credentials, and the file archiver 7zip, among many more.

The group also likes to use living-off-the-land (LotL) tactics, making use of native Windows tools and functions such as Notepad++, PsExec, and Nltest for performing actions on remote hosts.

The FBI has also observed AvosLocker affiliates using custom Web shells to enable network access, and running PowerShell and bash scripts for lateral movement, privilege escalation, and disabling antivirus software. And just a few weeks ago, the agency warned that hackers have been double-dipping: using AvosLocker and other ransomware strains in tandem to stupefy their victims.

Post-compromise, AvosLocker both locks up and exfiltrates files in order to enable follow-on extortion, should its victim be less than cooperative.

“It’s all kind of the same, to be honest, as what we’ve been seeing for the past year or so,” Ryan Bell, threat intelligence manager at Corvus, says of…

Source…

Software Supply Chain Security: The Basics and Four Critical Best Practices

/in


What is software supply chain security?

Modern enterprise software is typically composed of some custom code and an increasing amount of third-party components, both closed and open source. These third-party components themselves very often get some of their functionality from other third-party components. The totality of all of the vendors and repositories from which these components (and their dependencies) come make up a large part of the software supply chain. But it’s not just code, the supply chain for a software product also includes all of the people, services, and infrastructure that make it run. Adding it all up: the software supply chain is an often large and complex web of various sources of code, hardware, and humans that come together to make, support, and deliver a larger software product.

Using third-party and open source software saves your organization time and money and frees up your developers to create novel software instead of reinventing the wheel, but it comes with a cost. These components are created and maintained by individuals who are not employed by your organization, and these individuals may not have the same security policies, practices, and quality standards as you. This poses an inherent security risk, because differences and inconsistencies between policies can create overlooked areas of vulnerability that attackers may seek to exploit.

Attackers can compromise the security of the software supply chain in a number of ways including:

  • Exploiting bugs or vulnerabilities in third-party components
  • Compromising the development environment of a third party and injecting malware
  • Creating fake components that are malicious

Software supply chain security seeks to detect, prevent, and mitigate these threats and any others that stem from an organization’s third-party components. In this blog post, one of a series of guides about continuous integration and delivery (CI/CD), we look at software supply chain attacks, and how best to thwart them.

What is a software supply chain attack?

According to the U.S. National Institute of Standards and Technology (NIST), a software supply chain attack occurs when a threat actor “infiltrates a software vendor’s…

Source…